A Russian state-sponsored threat actor tracked as UNC6293 targeted academics critical of Russia by impersonating the U.S. Department of State and using social engineering to obtain application specific passwords (ASPs) for persistent mailbox access. Two distinct campaigns used tailored phishing lures and residential proxies to maintain access, with Google mitigating the threats and reinforcing security measures like the Advanced Protection Program. #UNC6293 #APT29 #ApplicationSpecificPasswords
Keypoints
- The Russian state-sponsored actor UNC6293 impersonated the U.S. Department of State to target academics and critics of Russia from April to June 2025.
- The attacker used social engineering with spoofed emails and tailored phishing lures asking victims to create Google Application Specific Passwords (ASPs).
- After victims shared ASP codes, attackers gained persistent access to their Gmail accounts through mail clients.
- Two campaigns were conducted: one with a State Department theme using “ms.state.gov” ASP names and another with Ukrainian and Microsoft themes, both using the same residential proxy infrastructure.
- Attackers primarily used residential proxies and VPS servers to access victim accounts and reused infrastructure across campaigns.
- Google detected the activity, secured compromised accounts, and recommended using the Advanced Protection Program (APP) to prevent ASP creation and increase security.
- Google continues to share findings with the security community to improve threat hunting and user protections.
MITRE Techniques
- [T1566] Phishing – The attackers sent emails impersonating the U.S. Department of State to lure targets into establishing meetings and sharing ASP codes (‘phishing lures disguised as meeting invitations’).
- [T1110] Brute Force – Attackers induced victims to create Application Specific Passwords, which were then used to access accounts (‘victims share the ASP passcode, attackers establish persistent mailbox access’).
- [T1078] Valid Accounts – Use of legitimate application specific passwords to maintain persistent access to victim mailboxes (‘attackers set up a mail client to use the ASP’).
- [T1098] Account Manipulation – Forcing victims to generate ASPs and share them to enable unauthorized access (‘directing victims to create an Application Specific Password’).
- [T1583] Acquire Infrastructure – Use of residential proxies and VPS servers to connect to victim accounts (‘attackers logged in using residential proxies and VPS servers’).
Indicators of Compromise
- [IP Addresses] Residential proxy used for attacker infrastructure – 91.190.191.117
- [File Hash] Lure PDF delivering phishing instructions – SHA256: 329fda9939930e504f47d30834d769b30ebeaced7d73f3c1aadd0e48320d6b39
- [Domain] Google account creation link used in lure – https://account.google.com
- [Application Specific Password Names] “ms.state.gov” (Campaign 1), Ukrainian and Microsoft-themed ASP names (Campaign 2)
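The persistence technique in the keypoints (a mail client signing in with a victim-created ASP from a residential proxy) and the indicators above suggest a simple hunt for Workspace admins: inventory each account's ASPs and correlate their names and sign-in sources. The following is an added example, not code from the report or from Google; the record shapes, the lure-name regex and all sample data are constructed here, and only the proxy IP and the "ms.state.gov" name come from the page.

```python
import re
from dataclasses import dataclass

# Values taken from the report; everything else in this block is constructed for the example.
REPORTED_PROXY_IPS = {"91.190.191.117"}
# Name themes the report attributes to the two campaigns (State Department, Ukrainian, Microsoft).
LURE_NAME_PATTERN = re.compile(r"state\.gov|microsoft|ukrain", re.IGNORECASE)


@dataclass(frozen=True)
class Asp:
    # One application specific password, loosely modeled on the Admin SDK asps resource (codeId, name).
    user: str
    code_id: int
    name: str


@dataclass(frozen=True)
class Login:
    # One sign-in event: source IP and whether a mail client used an app password (constructed label).
    user: str
    ip: str
    via_app_password: bool


def audit(asps, logins):
    # Return sorted (user, reason) findings for a responder to triage before revoking ASPs.
    findings = set()
    proxy_users = set()
    for login in logins:
        if login.ip in REPORTED_PROXY_IPS:
            findings.add((login.user, "login from IP reported as attacker proxy"))
            if login.via_app_password:
                proxy_users.add(login.user)
    for asp in asps:
        if LURE_NAME_PATTERN.search(asp.name):
            findings.add((asp.user, f"ASP name matches lure theme: {asp.name}"))
        if asp.user in proxy_users:
            findings.add((asp.user, f"ASP {asp.code_id} on account with app-password login from reported proxy"))
    return sorted(findings)


# Constructed sample data: one victim-like account and one ordinary account.
SAMPLE_ASPS = [
    Asp("victim@example.org", 1001, "ms.state.gov"),
    Asp("colleague@example.org", 2002, "Thunderbird laptop"),
]
SAMPLE_LOGINS = [
    Login("victim@example.org", "91.190.191.117", True),
    Login("colleague@example.org", "203.0.113.7", False),
]
```

In practice the ASP list would come from the Directory API asps listing per user and the sign-ins from the login audit log; any flagged ASP should be revoked and the account reviewed, with APP enrollment blocking further ASP creation.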